Develop Reference

Setting up postfix and dovecot and having authenticity failed issues

I have setup postfix, dovecot and rainloop on Ubuntu Server 20.04 and having some issues with authentication on the SMTP connection, I can successfully login using rainloop and I can also access via ios externally and view emails but I am unable to send, the only way that I can send using Rainloop is to uncheck the use authentication checkbox in the domains.
In rainloop domain setup for the server if I choose SSL/TLS on SMTP and Test the connection I get
stream_socket_client(): unable to connect to ssl://127.0.0.1:465 (Connection refused)
here are my configs for postfix and dovecot
main.cf
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.arpradio.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.arpradio.com/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.arpradio.com
mydomain = arpradio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, arpradio.com, mail.arpradio.com, localhost.arpradio.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
# mailbox_command = /usr/bin/procmail
# RBL
strict_rfc821_envelopes = yes
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unverified_recipient_reject_code = 554
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, permit
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
I found this in /var/log/auth.log
auth: pam_unix(dovecot:auth): Couldn't open /etc/securetty: No such file or directory
auth: pam_unix(dovecot:auth): check pass; user unknown
auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user#domain.com rhost=<IP>

Your problem is that you have not enabled smtps listener in postfix master.cf. You need to uncomment that listener.

Postfix issue Relay access denied through telnet

Getting error relay access denied on a CentOS server with postfix and dovecot installed, trying to set up a catchall email on a CentOS 7 server. Fresh installation, installed Nano text editor and nothing else, pretty much a clean server in case it matters.
error im getting:
[root#accountcreator ssl]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.tmkiller.site ESMTP Postfix
EHLO howdy.com
250-mail.tmkiller.site
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: testAccount
250 2.1.0 Ok
rcpt to: myEmail#gmail.com
454 4.7.1 <myEmail#gmail.com>: Relay access denied
My main.cf file:
myhostname = mail.mydomain.site
mydomain = mydomain.site
myorigin = $mydomain
home_mailbox = mail/
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetwor$
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Yes, i have replaced mydomain.site with my actual domain.
/etc/hosts file:
127.0.0.1 AccountCreator AccountCreator
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4
# The following lines are desirable for IPv6 capable hosts
::1 AccountCreator AccountCreator
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdom$
::1 localhost localhost.localdomain localhost6 localhost6.localdom$
serverIP mail.mydomain.site
I've tried reinstalling the OS and starting all over through this guide:
https://hostpresto.com/community/tutorials/how-to-setup-an-email-server-on-centos7/
I've tried googling around, tried suggestions on several Stack Overflow threads, didn't manage to find a fix that resolved this issue.
I would like to get anything#mydomain.com to forward to catchall#mydomain.com.

You need to setup smtpd_relay_restrictions to allow your domain to send mail through, as it stands it appears your configuration is to only receive emails to your domain.
While you're at it, you should also configure smtpd_client_restrictions and smtpd_sender_restrictions too.
Another thing, if this is centos 7, install roundcube instead of squirrelmail for web mail. It's simpler to maintain and looks cooler.

in your case, under mynetworks you should add the IP address of your server
reload the postfix configuration.
There are other "best practices" how to accomplish this with hash: files for example, so you don't hardcode anything into your configuration, but have separate files that you can administer.
You can read more about it at the postfix official documentation here
also this looks like a typo permit_mynetworks:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetwor$

smtpd_client_restrictions : difference between main.cf and master.cf

Where should the smtpd_client_restrictions be put: in main.cf or in master.cf ?
For me, only the master.cf seems to be working (because my postfix is working fine as a relay) :
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated
in main.cf the following reject rule is not applied:
smtpd_client_restrictions = permit_mynetworks, reject
Thanks

You need to comment the line in master.cf for client restrictions in submission. Submission is for linux CLI users on the same machine. The client restrictions you're trying to use (permit_mynetworks, reject) will only work if the client connects to the smtp ports. An example of a working client restrictions statement in main.cf is like below on my mail relay in the cloud.
smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2, permit

From what I can recall (someone more knowledgeable can confirm/deny) main.cf restrictions will be by default applied to all smtp processes (so if you have submission/smtps/smtp), but are overwritten by configurations on the actual process (master.cf)
Therefore I'd assume your main.cf value (with reject) is being overwritten by your value on the process (no reject) thus not getting rejected.

postfix: force authentication from localhost

Commenting
mynetworks = 127.0.0.0/8
users with shell on system can again send emails using postfix:
main.cf
#mynetworks =
[...]
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10031
permit_mynetworks,
permit_inet_interfaces,
# reject_sender_login_mismatch,
reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
So, also put:
reject_mynetworks,
same problem
I only need force SASL authentication either from lan and from 127.0.0.1 too.

Commenting out mynetworks implies postfix to generate mynetworks based on the value of mynetworks_style
So set mynetworks to empty string to fix this.

postfix virtualdomain - message bouncing - unknown user error in maillog

I have configured the virtual domain in postfix 2.x
Please check the configuration below:
virtual_mailbox_domains = ghhdomain.com, krdomain.com, murugeshdomain.com
#setup virtual domains mailbase for mailboxes
virtual_mailbox_base = /var/spool/mail
#create lookup file that maps email addresses to respective mailboxes
virtual_mailbox_map = hash:/etc/postfix/virtual
#who will be the owner of the mailbox file
virtual_uid_maps = static:503
virtual_gid_maps = static:503"
added to /etc/postfix/virtual
info#ghhdomain.com ghhdomain/info
info#krdomain.com krdomain/info"
done postmap /etc/postfix/virtual
while testing
Escape character is '^]'.
220 mail.murugeshdomain.com ESMTP Postfix
ehlo ghhdomain.com
250-mail.murugeshdomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
And.. When I do mail from: info#ghhdomain.com and rcpt to:info#ghhdomain.com
I get the enter code hereror in the log.
bounced - unknown user "info#ghhdomain.com
What is that missing,
TIA
Hari

Here you use the virtual_mailbox_map = hash:/etc/postfix/virtual, ie you use the virtual alias file for the virtual mailbox map. You are not suppose to do this.
So please use different files for virtual alias and virtual mailbox
So you can use,
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/vmailbox:
info#ghhdomain.com ghhdomain/info
info#krdomain.com krdomain/info
you can verify more details in this link

make aliases for local accounts/users
in /etc/postfix/main.cf edit :
virtual_alias_maps = mysql:/etc/postfix/virtual-alias-maps.cf
regexp:/etc/postfix/local-users-aliases
# ---- put everything on same line ---------
Now Postfix will build aliases list from mysql table (you can use and/or hash from file ... postfix accept a list of sources) and using regular expresion from file
write local-users-aliases
echo "/^(webmaster|www|ftp|postmaster|root|MAILER-DAEMON|abuse)/ u_mail#u_domain" >
/etc/postfix/local-users-aliases
after /etc/init.d/postfix restart any mail sent to postmaster fro ex will go to u_mail#u_domain